| Summary: | spamassassin new security issues CVE-2020-1930 and CVE-2020-1931 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, mageia, sysadmin-bugs, tmb |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA7-64-OK | | |
| Source RPM: | spamassassin-3.4.3-1.mga7.src.rpm, spamassassin-rules-3.4.3-1.mga7.src.rpm | CVE: | CVE-2020-1930, CVE-2020-1931 |
| Status comment: | | | |

Description
David Walser
2020-01-30 03:59:15 CET
David Walser
2020-01-30 03:59:25 CET
Whiteboard: (none) => MGA7TOO

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Nefarious rule configuration (.cf) files can be configured to run system commands with sa-compile. (CVE-2020-1930)

Nefarious rule configuration (.cf) files can be configured to run system commands with warnings. (CVE-2020-1931)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1931
https://spamassassin.apache.org/news.html
https://svn.apache.org/repos/asf/spamassassin/branches/3.4/build/announcements/3.4.4.txt
========================

Updated packages in core/updates_testing:
========================
spamassassin-3.4.4-1.mga7
spamassassin-sa-compile-3.4.4-1.mga7
spamassassin-tools-3.4.4-1.mga7
spamassassin-spamd-3.4.4-1.mga7
spamassassin-spamc-3.4.4-1.mga7
perl-Mail-SpamAssassin-3.4.4-1.mga7
perl-Mail-SpamAssassin-Spamd-3.4.4-1.mga7
spamassassin-rules-3.4.4-1.mga7

from SRPMS:
spamassassin-3.4.4-1.mga7.src.rpm
spamassassin-rules-3.4.4-1.mga7.src.rpm

Whiteboard: MGA7TOO => (none)

Apache has issued advisories for this today (January 30):
https://www.openwall.com/lists/oss-security/2020/01/30/3
https://www.openwall.com/lists/oss-security/2020/01/30/2

The advisories have a little more detail on the issues. Please add those to the References.

Installed and tested without issue.

I'm using spamassassin with kmail and it's evaluating messages correctly. It's been in use for several days without issues.

----------------------------------------------------------------------
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on marte.home
X-Spam-Level:
X-Spam-Status: No, score=-1.5 required=4.0 tests=BAYES_00,HTML_MESSAGE autolearn=ham autolearn_force=no version=3.4.4
----------------------------------------------------------------------

System: Mageia 7, x86_64, Plasma DE, LXQt DE, kmail, Intel CPU, nVidia GPU using nvidia340 proprietary driver.

$ uname -a
Linux marte 5.4.17-desktop-1.mga7 #1 SMP Sat Feb 1 21:57:04 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -i spamassassin
spamassassin-3.4.4-1.mga7
spamassassin-rules-3.4.4-1.mga7
perl-Mail-SpamAssassin-3.4.4-1.mga7

CC: (none) => mageia

Good enough for me. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update

Debian and Ubuntu have issued advisories for this on February 1 and 4:
https://www.debian.org/security/2020/dsa-4615
https://usn.ubuntu.com/4265-1/

Thomas Backlund
2020-02-09 19:31:57 CET
CC: (none) => tmb

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0079.html

Status: ASSIGNED => RESOLVED